On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote:
Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users UNLESS they include
objectClass posixaccount.
For example, the output below shows a staged user that I've manually added
with "ldapmodify", but as you can see, it is not found with "ipa
stageuser-find":
```
$ ldapsearch -Y GSSAPI uid=atest
SASL/GSSAPI authentication started
SASL username: admin(a)IMS.DCN.EXAMPLE.DE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ims,dc=dcn,dc=example,dc=de> (default) with scope subtree
# filter: uid=atest
# requesting: ALL
#
# atest, staged users, accounts, provisioning, ims.dcn.example.de
dn: uid=atest,cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=example,dc=de
objectClass: top
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
uid: atest
sn: atest
givenName: atest
cn: atest
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
```
```
$ ipa stageuser-find
WARNING: yacc table file version is out of date
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
```
This user will be recognized if I add the following attributes:
```
objectClass: posixaccount
uidNumber: -1
gidNumber: -1
homeDirectory: /home/atest
```
But this is not supposed to be so... and in fact, on another IPA
installation (totally separate) I don't see this constraint. The same
LDIF (just with a different base DN) gets properly recognized as a staged user!
I was comparing the entire cn=config and the IPA server configuration
section, but I cannot find what setting could possibly affect this...
Yes, this should not happen. 'ipa stageuser-find' actually replaces the
search filter that the baseuser object uses, '(objectclass=posixaccount)',
with the following one:
```
(|(objectclass=posixaccount)(objectclass=inetOrgPerson))
```
https://pagure.io/freeipa/blob/ipa-4-6/f/ipaserver/plugins/stageuser.py#_447
If 'ipa stageuser-find' doesn't find it, you can enable server-side
debugging and retry; then you should see debug output in error_log.
Create /etc/ipa/server.conf:
```
[global]
debug = True
```
and restart httpd, then retry.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
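To make the filter behaviour Alexander describes concrete, here is an added example that is not part of the thread and not FreeIPA's own code: a tiny evaluator for the RFC 4515 filter subset used by the two filters in question (equality assertions plus AND/OR groups). The two filter strings are the ones quoted in the reply above; the two entries are constructed from Dmitry's ldapsearch output (the staged entry without posixaccount, and the same entry after the posixaccount attributes were added). The function names (`parse_filter`, `matches`, `classify`) are this example's own. It models only objectClass matching the way a directory server compares that attribute (case-insensitively); it does not model ACIs, which is why the usage note below suggests a second check on a real server.

```python
"""Added example: evaluate the baseuser and stageuser LDAP filters from the
thread against sample entries, to show which one should match a staged
entry that lacks objectClass posixaccount. Not FreeIPA code."""

# Filter strings as quoted in the reply above.
BASEUSER_FILTER = "(objectclass=posixaccount)"
STAGEUSER_FILTER = "(|(objectclass=posixaccount)(objectclass=inetOrgPerson))"

# Constructed entries, modelled on the ldapsearch output in the question.
STAGED_WITHOUT_POSIX = {
    "objectClass": ["top", "inetorgperson", "organizationalPerson", "person"],
    "uid": ["atest"],
}
STAGED_WITH_POSIX = {
    "objectClass": ["top", "inetorgperson", "organizationalPerson", "person",
                    "posixaccount"],
    "uid": ["atest"],
    "uidNumber": ["-1"],
    "gidNumber": ["-1"],
    "homeDirectory": ["/home/atest"],
}


def parse_filter(text: str):
    """Parse a filter consisting of equality assertions and (|...)/(&...)
    groups into a nested tuple tree: ("=", attr, value) or (op, [children]).
    Attribute names and values are lower-cased so comparisons are
    case-insensitive, as they are for objectClass on the server."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "|&":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op = tree[0]
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    present = [v.lower() for k, vals in entry.items() if k.lower() == attr
               for v in vals]
    return value in present


def classify(entry: dict) -> dict:
    """Report whether the entry matches the baseuser filter and the
    stageuser filter. A correctly behaving stageuser-find uses the latter."""
    return {
        "baseuser": matches(parse_filter(BASEUSER_FILTER), entry),
        "stageuser": matches(parse_filter(STAGEUSER_FILTER), entry),
    }


if __name__ == "__main__":
    for name, entry in (("without posixaccount", STAGED_WITHOUT_POSIX),
                        ("with posixaccount", STAGED_WITH_POSIX)):
        print(f"{name}: {classify(entry)}")
```

Running it shows the entry without posixaccount fails the baseuser filter but passes the stageuser filter, which is exactly the observed symptom: the broken installation behaves as if the plain baseuser filter were in effect. On a real server the same distinction can be checked by passing the stageuser filter string directly to ldapsearch with -b set to the cn=staged users container; if that returns the entry while 'ipa stageuser-find' does not, the filter substitution is not the problem and the server-side debug log suggested above is the next place to look.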